How ICS Security Attacks Can Cripple Smart Cities

The global population is becoming city-centric every day. As more people move to urban areas, smart city technology is becoming more relevant. Urban planners are using the latest data and technological advances to build more efficient and sustainable infrastructures to support this growing population. They are using artificial intelligence (AI) and the internet of things (IoTs) to create better industrial control systems (ICS) that can support traffic, energy, water, sewage, surveillance, telecommunications and more.

But smart city technologies also open up new vulnerabilities. Cyber attacks can bring these thriving smart cities to a standstill and create utter chaos. Ensuring cyber-physical security against local and foreign adversaries is the new challenge for today’s city planners.

Smart City Networks and End-Points Are Targets

According to Frost & Sullivan, smart cities are expected to create business opportunities with a market value of $2 trillion by 2025. Also, by the year 2050, over 80% of the populations of the developed nations are expected to move to cities. So the changing dynamics of urbanization is both a great opportunity and a threat to the future of sustainable cities.

Smart cities are creating their infrastructures using mesh networks and IoT end-points. Big data and cloud computing are providing the backbone. Here are some examples of how smart cities are implementing these solutions:

With the coordination of traffic lights and parking sensors, smart cities are able to better manage traffic patterns and decrease congestions.

Cities are using supervisory control and data acquisition (SCADA) systems to improve water and sewage management.

IoT sensors and integrated data systems are enabling metro transportations to provide more accurate information about arrival times of vehicles at train and bus stations.

Sensors in dustbins around the cities are allowing garbage collectors to optimize their routes rather than checking each dustbin individually.

Digital connectivity is allowing the implementation of these smart technologies. However, some of the smart devices are not sophisticated and they lack basic security safeguards. Cybercriminals are aware of the various weak points and they are ready to exploit the weaknesses.

Here are some examples of cyber attacks that took place around smart cities:

In April 2017, around midnight all of the 156 tornado alarm systems in Dallas city went off. The hackers had gained control. As the Dallas Office of Emergency Management (OEM) tried to figure out the problem, the city 911 lines got overwhelmed with calls from concerned citizens. The OEM had to shut down the emergency system to stop the alarms.

In March 2018, an attack on the Atlanta City Government forced Hartsfield-Jackson airport, one of the busiest airports in the US, to shut down its WiFi network. Security wait times and flight information was unavailable. Passengers struggled to figure out how to navigate the airport. The whole airport ecosystem was in turmoil without the WiFi network.

In November 2016, cybercriminals were able to infiltrate the San Francisco's Municipal Transportation Agency’s Windows 2000 servers with a ransomware and demanded 100 bitcoins, equivalent to $70,000 at the time, to release the hacked systems. Fortunately, the transportation agency was able to get the systems up without having to pay the cybercriminals.

Attacks on ICS systems and mesh networks are not a new phenomenon. It’s not even only an external problem. A lack of proper security protocols can cause problems from within. In 2001, a disgruntled employee of the Maroochy Water Services in Australia sent commands to the company’s SCADA system which led to 140 pumping stations spilling millions of gallons of sewage around the Sunshine Coast suburb. The whole area was overwhelmed with the smell of sewage disrupting the daily lives of residents.

What Can Smart Cities Do?

Naturally, urban planners and smart city governments are proactively seeking ways to make their cities infrastructure and ICS systems safe from potential threats. Smart cities have to look at their security needs both at the macro and the micro levels. Here are some things to consider:

Implement Cyber-Physical Security

Smart city technologies occupy both the physical and digital worlds. So the cities need to address both spaces. Most IT solutions only try to secure the digital component. In a smart city environment, it’s necessary to find solutions that will prevent attacks in the operational technology (OT) domain too. So a comprehensive cyber-physical security solution is a necessity for today's smart cities.

Use Secure Mesh Networks and Wireless Integration

High-performance mesh networks and wireless technologies are the building blocks of a smart city grid. But it’s important to use mesh network and WiFi solutions that can provide robust security for a vast range of network topographies and applications. The solutions need to have various levels of authentication mechanisms to allow more secure communication between various components.

Provide Better Perimeter Management

ICS systems that support smart cities have to deal with a lot of complexity. So automation through centralized management should be an integral part of the system. It will allow cities to ensure security for large areas and key infrastructure without the need for increasing manpower. Automated entry-control systems for building gates and doors can provide better perimeter control for crucial infrastructures.

Emphasize Intrusion Detection

Most IoT end-point devices like cameras and sensors don’t have the necessary security capabilities. As these connected devices are increasing in smart cities, city planners need to upgrade to better intrusion detection systems (IDS). Better IDS will prevent hackers from easily infiltrating smart city central systems by exploiting end-point vulnerabilities.

About the Author

Ben Garber is a cybersecurity applications engineer with Ultra Electronics, 3eTI, a leading cyber-technology company with products and solutions that secure critical infrastructure in industrial and government markets. In his role at 3eTI, Benassists in the design, build, and testing of network security products, focused in critical infrastructure applications. Ben can be reached at [email protected]